RapidClipse Has ReachedEnd of Life

3 min read Original article ↗

Make sure that ${owasp.version} refers to a current and supported version of OWASP Dependency-Check.

The failBuildOnCVSS value defines the vulnerability severity at which the Maven build should fail. With a value of 7, the build is stopped as soon as a high-severity vulnerability is detected.

You can adjust this value according to your security requirements. Lower values result in stricter evaluation.


Step 2: Request an NVD API Key

OWASP Dependency-Check obtains vulnerability information from the National Vulnerability Database (NVD).

You can request a free API key here: https://nvd.nist.gov/developers/request-an-api-key 

Using an API key is strongly recommended. Without one, the scan may be significantly slower and subject to stricter access limits.

Do not store the key directly in your pom.xml and do not commit it to your source code repository. Instead, use an environment variable named NVD_API_KEY or a protected secret in your CI/CD system.

For Linux or macOS:

export NVD_API_KEY="your-api-key"

For Windows PowerShell:

$env:NVD_API_KEY="your-api-key"


Step 3: Run the Scan

Run the following command:

mvn dependency-check:check

Because the plugin is integrated into the Maven build, the check can also be run as part of the regular build process:

mvn verify

The first run may take a little longer because the vulnerability database needs to be downloaded and processed first.


Step 4: Review the Report

After the scan, an HTML report is generated in the target directory:

target/dependency-check-report.html

In Maven multi-module projects, each module may generate its own report. If desired, the aggregate goal can be used to create a combined report for the entire project.

Do not evaluate the results based solely on the CVSS score. For each reported vulnerability, check:

  • Is the affected library actually used?
  • Is the vulnerable functionality reachable?
  • Is a patched version already available?
  • Is the library still actively maintained?
  • Are additional mitigation measures required?

In most cases, the solution is to update the affected dependency, the parent project, or the Bill of Materials (BOM) that manages its version. After every update, rebuild and thoroughly test the application.

False positives are possible. Suppress a finding only after it has been reviewed and documented. A suppression should never be used solely to make the build pass.


Step 5: Make Dependency Checks Part of Your Regular Process

A one-time scan is not enough. New vulnerabilities can be published at any time.

We therefore recommend:

  • integrating OWASP Dependency-Check into every CI/CD build
  • running an automated scan at least once a week
  • regularly checking available updates
  • documenting direct and transitive dependencies
  • replacing libraries that are no longer maintained
  • keeping the Java runtime and operating environment up to date

In addition, components outside the Maven project should also be reviewed regularly, including:

  • the JDK
  • the application server
  • the database
  • the operating system
  • web servers and reverse proxies
  • container base images
  • JavaScript libraries
  • build and deployment infrastructure

A stable application is not automatically a secure application. Security requires continuous monitoring, timely updates, regular testing, and a clear understanding of all components used.

If you are unsure which dependencies require special attention or whether an update can be applied safely, we will be happy to support you in analyzing your RapidClipse project and creating a practical security and modernization plan.

Book a Free Consultation